November 25, 2002

Information System Security
Government Information Security Reform Act Implementation:
Defense Advanced Research Projects Agency Management Support System
(D-2003-027)

Department of Defense
Office of the Inspector General
Quality   Integrity   Accountability

Additional Copies

To obtain additional copies of this report, visit the Web site of the Inspector General of the Department of Defense at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General of the Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.
The identity of each writer and caller is fully protected.

Acronyms

ASD(C3I)   Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
DAA        Designated Approving Authority
DARPA      Defense Advanced Research Projects Agency
DITSCAP    DoD Information Technology Security Certification and Accreditation Process
DMSS       Defense Advanced Research Projects Agency Management Support System
GISR       Government Information Security Reform
SSAA       System Security Authorization Agreement

Office of the Inspector General of the Department of Defense
Report No. D-2003-027   November 25, 2002
(Project No. D2002LD-0101)

Government Information Security Reform Act Implementation: Defense Advanced Research Projects Agency Management Support System

Executive Summary

Who Should Read This Report and Why? DoD personnel who are involved in implementing Government Information Security Reform Act (GISR Act) requirements should read this report. The report discusses our independent assessment of the information security posture of the Defense Advanced Research Projects Agency (DARPA) Management Support System, a DARPA system.

Background. To gather data on assessments of the effectiveness of DoD information assurance policies, procedures, and practices, DoD developed a GISR Act collection matrix for automated information systems. DoD selected a sample of 560 automated information systems from the almost 4,000 automated information systems in DoD.
For those 560 systems, DoD reported the aggregate results of the assessments for FY 2001 in “GISR Report FY01: Government Information Security Reform Act, Report of the Department of Defense,” October 2001. Of the 560 systems, the Office of the Inspector General of the Department of Defense, the Defense Information Systems Agency Inspector General, and Military Department audit agencies assessed a sample of 115 systems. This report is one in a series of GISR Act audits and is an assessment of the DARPA Management Support System. The DARPA Management Support System is a mission-essential system that supports DARPA and its various technical and support offices.

Results. The data reported for the DARPA Management Support System in the GISR Act collection matrix for FY 2001 were partially inaccurate as of August 1, 2001, the date of the FY 2001 collection matrix data. DARPA answered 5 of the 32 collection matrix data fields incorrectly. Also, DARPA did not provide documentation that supported 8 of the 32 responses. Additionally, the key DARPA information assurance staff positions were not aligned in a way that ensures segregation of duties and the required checks and balances in the DoD Information Technology Security Certification and Accreditation Process for the DARPA Management Support System. Furthermore, DARPA did not formally appoint three of the four key information assurance staff positions required to ensure the appropriate checks and balances during the certification process. Also, the designated approving authority was not within the operational chain of command, as the DoD Information Technology Security Certification and Accreditation Process requires. Further, DARPA did not provide support that it had verified that the contractors working on the system had proper security clearances.
As a result, the DARPA Management Support System may not have adequate information security operational controls that ensure sensitive information is safeguarded. For details of the audit results, see the Finding section of the report.

Management Comments and Audit Response. DARPA nonconcurred with the finding and the recommendations. DARPA disagreed that 5 of the 32 matrix responses were incorrect and that insufficient information was provided for 8 other responses. DARPA also reported that the DARPA Management Support System was formally accredited on September 6, 2002, which included documentation of the certification authority, project manager, and user representative positions. Where appropriate, we revised our discussion of matrix responses as a result of the DARPA comments. However, those revisions did not alter our finding. DARPA nonconcurred with the three report recommendations, stating that the alignment of its information assurance staff positions was correct and appropriate. DARPA also stated that the designated approving authority and certification authority are separate and independent from each other. Further, DARPA stated that security clearance documentation for information systems contract support personnel had always existed and that it would provide this information if requested. The DARPA responses to the recommendations were nonresponsive. DARPA did not address the formal appointment of the three key information assurance staff positions and did not address the organizational alignment of those positions to ensure checks and balances. Additionally, DARPA did not provide supporting documentation that verified the independence of the designated approving authority and the certification authority and the security clearance levels for the information systems contract support personnel with access to the DARPA Management Support System.
We request that DARPA reconsider its position on the recommendations and provide additional comments in response to the final report by January 24, 2003. See the Finding section and Appendix C for a discussion of management comments and the Management Comments section for the complete text of the comments.

Table of Contents

Executive Summary   i

Background   1

Objectives   2

Finding
    Defense Advanced Research Projects Agency Management Support System Information Security   3

Appendixes
    A. Scope and Methodology   16
    B. Government Information Security Reform Act Collection Matrix Submission   17
    C. Summary of DARPA Comments on the Finding and Audit Response   27
    D. Report Distribution   37

Management Comments
    Defense Advanced Research Projects Agency   39

Background

Government Information Security Reform. On October 30, 2000, the President signed the Floyd D. Spence National Defense Authorization Act for FY 2001 (Public Law 106-398), which includes title X, subtitle G, the “Government Information Security Reform” (GISR) Act. Subtitle G directs that the Government ensure effective controls for highly networked Federal information resources; management and oversight of information security risks; and a mechanism for improved information system security oversight and assurance for Federal information security programs.
The GISR Act directs each Federal agency (DoD for purposes of this report) to annually evaluate its information security program and practices and, as part of the budget process, submit the results of the evaluation to the Office of Management and Budget. The GISR Act covers both unclassified and national information security systems and creates a comparable security management framework for each. The GISR Act also requires that the agency Inspector General or other independent agent evaluate the agency information security program and practices. Also, the GISR Act requires each agency Inspector General or other independent agency to select and test a subset of systems that will confirm the effectiveness of the information security programs.

DoD Responsibilities. The GISR Act directs DoD to annually evaluate its information security program and practices. The DoD uses information technology for thousands of processes that are integral to support and operational functions. Mission-critical, mission-essential, and support-function processes, or applications, reside on computer systems throughout DoD. Applications for the DoD Components include financial accounting; personnel; pay and disbursement; materiel shipping, receiving, and storing; munitions maintenance; and weapon systems-associated applications.

The GISR Act directs that DoD, as part of the budget process, submit the results of its annual evaluation to the Office of Management and Budget. Office of Management and Budget guidance, memorandum 01-24, “Reporting Instructions for the Government Information Security Reform Act,” June 22, 2001, directs the Secretary of Defense to transmit the FY 2001 annual evaluation of information security program and practices to the Office of Management and Budget by October 1, 2001.
The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) (ASD[C3I]) formed and chaired an Integrated Process Team to develop and finalize the guidance and methodology for DoD reporting of the GISR Act. The Integrated Process Team developed a 32-column spreadsheet, the GISR Act collection matrix, to gather data on assessments of the effectiveness of DoD information assurance policies, procedures, and practices. DoD required the FY 2001 GISR Act collection matrix data completion as of August 1, 2001.

Inspector General Responsibilities. The Office of Management and Budget issued memorandum 01-08, “Guidance on Implementing the Government Information Security Reform Act,” in January 2001 to provide implementation instructions for Federal agencies in carrying out the GISR Act. Guidance specific to the duties of each Inspector General as an independent evaluator was also included in that memorandum. The Office of Management and Budget guidance states that each Inspector General or independent evaluator “should perform an annual evaluation of the agency’s security program and practices. This includes testing the effectiveness of security controls for an appropriate subset of agency systems.” Although the GISR Act applies to all Government information systems, the Office of Management and Budget acknowledged that agencies could not review all of those systems every year. As a result, the independent evaluation should identify and assess a logical representative sampling of systems that can be used to form the basis of a conclusion regarding the effectiveness of an agency’s overall security program.

DoD Systems.
The Office of the Inspector General of the Department of Defense developed a stratified random sample from the population of automated information systems the DoD evaluated and reported for FY 2001 in the “GISR Report FY01: Government Information Security Reform Act, Report of the Department of Defense,” October 2001 (DoD GISR Act Report). DoD selected and reported in the DoD GISR Act Report on a sample of 560 automated information systems from the almost 4,000 systems listed in the DoD Information Technology Registry.[1] The Office of the Inspector General of the Department of Defense stratified random sample included 115 systems from the universe sample of 560 systems that were reported on in the DoD GISR Act Report. The audit agencies for the Military Departments and the Defense Information Systems Agency Inspector General were to evaluate 91 of the 115 information systems in the sample by August 2, 2002. The Office of the Inspector General of the Department of Defense was to evaluate the remaining 24 systems that support DoD agencies and activities. This report discusses the evaluation of 1 of the 24 DoD-level systems, the Defense Advanced Research Projects Agency (DARPA) Management Support System (DMSS).

DoD Information Security Program. DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP),” December 30, 1997 (hereafter referred to as DITSCAP), provides the procedures for certification and accreditation of information technology to include information systems, networks, and sites in DoD. It also assigns responsibilities for oversight and implementation of the certification and accreditation process. DITSCAP is to be used as guidance throughout the certification and accreditation process.
DoD Manual 8510.1-M, “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual,” July 2000, provides implementation guidance that standardizes the certification and accreditation process throughout DoD.

Objectives

Our overall audit objective was to assess DMSS for implementation of the GISR Act requirements of the Floyd D. Spence National Defense Authorization Act for FY 2001. See Appendix A for a discussion of the audit scope and methodology.

[1] The Information Technology Registry was established in response to requirements contained in section 8102(a) of the National Defense Appropriation Act for FY 2001 and section 811(a) of the National Defense Authorization Act for FY 2001. The DoD registry must contain all of the fielded mission-critical and mission-essential systems as well as all the mission-critical and mission-essential systems that are in development.

Defense Advanced Research Projects Agency Management Support System Information Security

Data reported for DMSS in support of the implementation of the GISR Act requirements for FY 2001 were partially inaccurate as of August 1, 2001. DARPA[2] answered 5 of the 32 GISR Act collection matrix data fields incorrectly. Also, DARPA did not provide documentation that supported 8 of the 32 collection matrix responses. Additionally, the key DARPA information assurance staff positions were not aligned in a way that ensures segregation of duties and the required checks and balances in the DITSCAP for DMSS.
Furthermore, DARPA did not formally appoint three of the four key information assurance staff positions required to ensure the appropriate checks and balances during the certification process. Also, the Designated Approving Authority (DAA) was not within the operational chain of command, as DITSCAP requires. Further, DARPA did not provide support that it had verified that the contractors working on the system had proper security clearances. As a result, DMSS may not have adequate information security operational controls that ensure sensitive information is safeguarded.

Mission and System Information

The DARPA mission is to develop imaginative, innovative, and often high-risk research ideas offering a significant technological impact that will go well beyond the normal evolutionary developmental approaches. DARPA pursues the ideas from demonstration of the technical feasibility through development of prototype systems.

System Background. DMSS is a mission-essential[3] system that supports DARPA and its various technical offices and support offices. DMSS is a local area network, in Arlington, Virginia, and consists of interconnected systems that provide access to unclassified local area networks and remote workstations. The DMSS network mission is to provide standard automation functions and financial transaction tracking.

Contract Support. In September 2001, DARPA contracted for DMSS hardware, software, and systems support. The contractor provided computers, printers, and other equipment; the software and site licenses that comprise DMSS; and maintenance of the system.
Additionally, the contractor would provide the certification and accreditation documentation of the system that DITSCAP required.

[2] DARPA is the program office for DMSS.
[3] Mission-essential systems are those systems that are basic and necessary for the accomplishment of an organization’s mission.

System Configuration. DMSS is an unclassified network, but all data is considered sensitive. The DMSS network provides financial tracking services, software development for financial applications, security protection services, print services, file services, database services, application services, web services, remote access, Virtual Private Network services, e-mail services, facsimile services, scheduling/calendaring, and archive facilities for network servers and user workstations. DMSS uses commercial off-the-shelf software, such as the Microsoft Office Suite products (Access, Excel, Outlook, PowerPoint, and Word).

Data Collection Matrix

DARPA provided the response for the DMSS to ASD(C3I) as of August 1, 2001, and the data reported were partially inaccurate. In response to the GISR Act requirement for each Federal agency to annually evaluate and report on its information security program and practices, ASD(C3I) developed a GISR Act data collection matrix (the matrix) for DoD. The Assistant Secretary developed the matrix as a management tool to track information assurance trends and outcomes. The matrix consisted of a spreadsheet divided into four sections for data. Section titles included identifying information, accreditation information, assessment criteria information, and operations and assessments interest items.

In response to the information requested in the matrix, DARPA was generally required to answer yes, no, or provide a date for action completed.
With the exception of a special section that could be used for augmenting comments, no other explanation was required or expected. A discussion of each section of the matrix, the data that DARPA reported in the matrix for DMSS, and our analysis of the data follows. Appendix B contains the DMSS information submitted by DARPA for three of the four sections of the matrix. The section of the matrix that requested identifying information is not presented in Appendix B.

Identifying Information. DARPA was requested to provide the system/network name, acronym, component owner, and information technology classification (mission critical or mission essential) in the identifying information section of the matrix. DARPA responded in the matrix that DMSS was under the component ownership of DARPA and was classified as a mission-critical information technology system. We verified that the identification information in the matrix was incorrectly reported because DMSS was not a mission-critical system but a mission-essential system, as stated in the DoD Information Technology Registry.

Accreditation Information. DARPA was requested to provide in the accreditation information section of the matrix the date of accreditation certification, the date of interim certification, the accreditation method, and whether formal documentation for certification and accreditation existed.

Accreditation Date. DARPA was requested to provide the date that an accreditation process accredited DMSS. DoD Directive 5200.28, “Security Requirements for Automated Information Systems (AISs),” March 21, 1988, establishes the minimum security requirements for DoD automated information systems. DITSCAP implements the Directive, assigns responsibility, and prescribes procedures for certification and accreditation.
DARPA responded in the matrix that the accreditation was pending. We verified that the DARPA response was appropriate. DARPA did not place a date in the field because DMSS was in the process of applying DITSCAP requirements. The DARPA goal was to accredit the DMSS by September 30, 2002. However, DARPA reported in the management comments to the draft report that DMSS was accredited on September 6, 2002.

Interim Certification Date. DARPA was requested to provide the date that an interim authority to operate was granted. According to the provisions of DITSCAP, interim authority should be based on the establishment of an acceptable level of risk in operating the system. DARPA responded in the matrix that an interim authority to operate was granted to DMSS on July 15, 2001. We verified that the matrix response was essentially correct, although the date of the interim authority to operate should have been July 17, 2001. The DAA, the Director of the Security and Intelligence Directorate, granted interim authority to operate the DMSS. That interim authority was valid for 3 months. Since July 17, 2001, interim authority was renewed three times. The most recent interim authority to operate the DMSS was granted February 22, 2002. Although the interim authority was valid until September 30, 2002, DARPA reported in the management comments to the draft report that DMSS was accredited on September 6, 2002.

Accreditation Method. DARPA was requested to identify whether DMSS was accredited under DITSCAP and, if not under DITSCAP, to describe other accreditation and certification procedures.
Several policies govern actions of DMSS program officials, but DITSCAP is the principal governing document for risk assessment and mitigation of DoD information technology systems. DITSCAP establishes the oversight mechanism that ensures identification of appropriate information to certify, accredit, and maintain a program’s security. DARPA responded in the matrix that it was using DITSCAP to certify and accredit the DMSS. We verified that DMSS was following DITSCAP procedures; however, the response was incorrect because DARPA should have responded “no” to the question, as DMSS was not accredited as of August 1, 2001. DARPA reported in the management comments to the draft report that DMSS was accredited on September 6, 2002.

Certification and Accreditation Documentation. DARPA was requested to identify whether formal documentation existed that the Inspector General of the Department of Defense or other entities could use to verify accreditation. DITSCAP requires a System Security Authorization Agreement (SSAA) for each information technology system. The SSAA is a formal and binding document among the system program manager, the DAA, the certifying authority, and the user representative that establishes the level of security required. The SSAA guides the process and documents the results for certification and accreditation as well as implementation of information technology security requirements. DARPA responded in the matrix that it did not have formal documentation in effect for the DMSS certification and accreditation process. We confirmed that DARPA did not have formal documentation for the DMSS certification and accreditation process as of August 1, 2001. Since then, DARPA has developed an in-process[4] SSAA.

Assessment Criteria Information.
DARPA was requested to confirm that the information assurance controls and plans listed in the assessment criteria information section of the matrix existed. According to the instructions provided for the matrix, ASD(C3I) developed the assessment criteria information section to assess selected systems on the basic program management, controls, and procedures that exist as part of the operation of the system.

Access Controls. DARPA was requested to identify whether access controls were in place. ASD(C3I) defined access controls as controls that limited access of information system resources to authorized users, programs, processes, or other systems. DARPA responded in the matrix that access controls were in place. DARPA did not provide documentation that supported the “yes” response for having access controls in place as of August 1, 2001. As a result, we could not verify the response. However, subsequent to August 2001, we were able to verify that access controls had been implemented. The access controls that DMSS used included the following: users were required to identify themselves during system login through the use of a protected mechanism (such as passwords) to authenticate user identity and user accounts; user accounts were locked out and service denied for 60 minutes after five unsuccessful login attempts; and passwords expired every 90 days.

Risk Assessment and Management Plan. DARPA was requested to identify whether a risk assessment and management plan had been completed. ASD(C3I) defined risk as the possibility of something adverse happening; risk assessment as the process of analyzing threats and vulnerabilities of an information system and the potential impact of lost information; and risk management as the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
DARPA responded in the matrix that a risk assessment and management plan was completed. We verified that DARPA had a risk assessment and management plan completed as of August 1, 2001. The plan listed procedures for determining minimum information system security requirements.

System Life-Cycle Plan. DARPA was requested to identify whether a system life-cycle plan existed. System life-cycle plan guidance that ASD(C3I) provided with the matrix was that many system life-cycle models exist but most contain five basic phases: initiation, development and acquisition, implementation, operation, and disposal. DARPA responded in the matrix that a DMSS System Life-Cycle Plan was not completed. We confirmed that when DARPA submitted the matrix data as of August 1, 2001, it had not developed a DMSS System Life-Cycle Plan. However, DARPA has a system life-cycle requirement that called for hardware and software to be replaced when or before either reaches a predetermined age.

[4] The audit team could not determine the status of many of the documents developed after August 1, 2001. DARPA responded that the documents were operational documents rather than draft or final (approved) documents. As a result, we identified the documents as in-process to indicate that they are not final documents, but are apparently being used by DARPA.

System Security Plan. DARPA was requested to identify whether a system security plan was in place. ASD(C3I) defined a system security plan as an overview of the security requirements of a system, a description of the controls in place or the controls planned for meeting those requirements, and delineation of responsibilities and expected behavior of the individuals who access the system. DARPA responded in the matrix that a DMSS System Security Plan was not completed.
We confirmed that when DARPA submitted the matrix data as of August 1, 2001, it had not developed a DMSS System Security Plan. However, since that time, DARPA developed a DMSS System Security Plan. The plan serves as a security policy document and provides security services for protection of information systems. Further, the plan identifies security mechanisms in place on the DMSS and was expanded to include security policies and procedures necessary to support the changing environment.

Personnel Security Measures. DARPA was requested to identify whether proper personnel security measures were in place. ASD(C3I) defined personnel security measures as a broad range of security issues related to how human users, designers, implementers, and managers of software and hardware interact with computers, and the access and authorities needed to do their jobs. DARPA responded in the matrix that DMSS had personnel security measures in place. DARPA did not provide documentation that supported the “yes” response for having personnel security measures in place as of August 1, 2001. As a result, we could not verify the response. Subsequent to August 2001, we were able to verify that personnel security measures had been implemented. DMSS had segregation of duties, with varying levels of control: the individual must have at least a SECRET clearance and have been granted access to the system based on a “need to know”; the individual must have received appropriate training in system capabilities and security procedures; and foreign nationals who possess a SECRET clearance may be granted access to the DMSS only after written approval of the DAA and only to the unclassified network. DMSS password protection procedures required that passwords change every 90 days and that accounts be terminated either when the user is no longer employed or for misuse.

Physical Security Controls.
DARPA was requested to identify whether physical security controls were in place. ASD(C3I) defined physical security and environment security as the measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. DARPA responded in the matrix that DMSS had physical security controls in place. We verified that physical security controls were in place as of August 1, 2001. An electronic card access system controlled primary access to the DARPA office suites on a 24-hour basis. In addition, closed-circuit television cameras provided coverage of the exterior perimeter doors and the sidewalks immediately adjacent to the building. Unarmed guard patrols were conducted around the building perimeter and the office spaces after hours. Since August 1, 2001, DARPA implemented additional physical security controls. They include an Arlington County police officer stationed outside the DARPA main building 24 hours a day and the revocation of on-the-street parking adjacent to the DARPA building.

Administrative Controls. DARPA was requested to identify whether administrative controls were in place. ASD(C3I) did not define administrative controls but suggested that administrative controls included the presence of a help desk and an audit trail. Administrative controls are designed to promote operational efficiency and adherence to system policies and procedures. DARPA responded in the matrix that DMSS had administrative controls in place. However, DARPA did not provide documentation that supported the “yes” response as of August 1, 2001. As of August 1, 2001, we verified that DARPA had a help desk, but we could not verify that DARPA had established audit trails.
However,\nDARPA provided documentation indicating that audit trails had been established\nsubsequent to August 1, 2001.\n\n        Contingency Plans. DARPA was requested to identify whether\ncontingency plans were in place and, if so, when the last time was that a\ncontingency drill, data loss drill, or power loss drill occurred. ASD(C3I) defined\ncontingency planning as involving more than simply planning for a move offsite\nafter a disaster destroys a facility. Contingency planning was to also include how\nto keep an organization\xe2\x80\x99s critical functions operational in the event of disruptions,\nboth large and small. DARPA responded in the matrix that DMSS had a\ncontingency plan in place. We verified that DARPA had a contingency plan\nfor 2000; however, DARPA should have responded \xe2\x80\x9cno\xe2\x80\x9d because the \xe2\x80\x9cyes\xe2\x80\x9d\nresponse was based on the 2000 Contingency Plan. That plan discussed two\nDARPA mission-essential systems: the main DARPA building and the financial\ninformation system. The plan does not mention DMSS or similar local area\nnetwork system that predated DMSS.\n\nDoD Directive 5200.28 requires periodic testing of contingency plans for\nmission-critical systems and encourages contingency plans for all systems.\nDARPA responded in the matrix that DMSS was last exercised December 30, 1999.\nWe verified that the contingency plan was exercised in the December 1999 time\nframe. However, DARPA should not have answered with a date because the\nexercise was based on a year 2000 contingency plan. Furthermore, the\n2000 Contingency Plan exercise focused only on interruptions for 2000.\n\nSince August 2001, DARPA developed an in-process Business Resumption Plan\nthat provides the procedures necessary to recover critical DARPA business\nfunctions in the event of a disaster.\n\n        Hardware and System Software Maintenance Plans. DARPA was\nrequested to identify whether hardware and software maintenance plans were in\nplace. 
ASD(C3I) defined hardware and software maintenance plans as controls\nused for monitoring the installation of, and update to, hardware and software to\nensure that the system functions as expected and that a historical record of\nchanges is maintained. DARPA responded in the matrix that DMSS had\nhardware and system software maintenance plans in place. However, DARPA\ndid not provide documentation that supported the \xe2\x80\x9cyes\xe2\x80\x9d response as of\nAugust 1, 2001. As a result, we could not verify the response.\n\n\n                                      8\n\x0cSubsequent to August 2001, we were able to verify that DARPA has a\nconfiguration management plan, used to manage configuration of hardware and\nsoftware. In addition, DARPA chartered the DARPA Configuration Control\nBoard to control the DMSS configuration. The board was to establish procedures\nfor controlling changes in configuration items.\n\n        Data Integrity Process. DARPA was requested to identify whether data\nintegrity processes were in place. ASD(C3I) defined data integrity processes as\ncontrols used to protect data from accidental or malicious alteration or destruction\nand used to provide assurance for users that the information met expectations\nabout its quality and integrity. DARPA responded in the matrix that DMSS had\ndata integrity processes in place. DARPA did not provide documentation that\nsupported the \xe2\x80\x9cyes\xe2\x80\x9d response as of August 1, 2001. As a result, we could not\nverify the response. However, DARPA has subsequently developed in-process\ndocuments indicating that DMSS currently has a data integrity process in place.\nVirus scans and communication encryption software protected the DMSS.\n\n        Security Incident Response Plan. DARPA was requested to identify\nwhether a security incident response plan was in place. 
ASD(C3I) defined a security incident response plan as a formal description and evaluation of risks to an information system, and a process that identified and applied countermeasures commensurate with the value of the assets protected, based on a risk assessment. An incident response plan should provide a help capability when an adverse event in a computer system or network causes a failure of a security mechanism or when an attempted breach of those mechanisms occurs. DARPA responded in the matrix that DMSS had a security incident response plan in place. DARPA did not provide documentation that supported the "yes" response as of August 1, 2001. As a result, we could not verify the response. Further, DARPA did not provide documentation indicating the current status of a security incident response plan.

Operations and Assessments Interest Items. DARPA was requested to identify specific operational assessment mechanisms that existed as part of the operation of the system and to provide general comments that would augment reporting efforts on basic program management, controls, and procedures. ASD(C3I) did not provide definitions for the reporting elements contained in the operations and assessments interest items section of the matrix. Information contained in that section included network protections, vulnerabilities, and assessments.

       Network Protections. ASD(C3I) requested data from DARPA on two network security functions: intrusion detection software and firewalls.

               Intrusion Detection Software. DARPA was requested to identify whether intrusion detection software protected the DMSS. Intrusion detection software inspects inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system.

               Firewalls. DARPA was requested to identify whether boundary protections, such as firewalls, were present for DMSS. A firewall is a boundary protection system that limits access between networks to prevent intrusions from outside the network. A firewall filters traffic crossing the network boundary; it does not detect or stop an attack that originates inside the network. DARPA responded in the matrix that intrusion detection software protected DMSS and that DMSS had boundary protection in place. DARPA did not provide documentation that supported the "yes" responses as of August 1, 2001. As a result, we could not verify the responses. However, DARPA has developed in-process documents since August 2001 that confirm intrusion detection software and boundary protection (firewalls) protect DMSS.

       Vulnerabilities. ASD(C3I) requested DMSS information from DARPA concerning the red and blue team assessment, connections, the information assurance vulnerability alert process, and the vulnerability analysis and assistance program.

                Red and Blue Team Assessment. DARPA was requested to identify the date of the most recent red and blue team assessment. According to a dictionary and reference guide used by the GISR Act Integrated Process Team, a red team is a simulated opposing force that uses active and passive actions, as well as technical and non-technical capabilities, to expose and exploit information operation vulnerabilities of a blue team (a simulated friendly force). DARPA responded in the matrix that DMSS had a blue team assessment performed on February 8, 2000. The DARPA response was incorrect. DARPA should not have answered with a date because, according to the DARPA comments on the draft report, an independent vulnerability assessment was performed on February 8, 2000, not a blue team assessment. The blue team assessment was performed in 2002.

               Connections. DARPA was requested to identify whether DMSS had a connection approval to connect to a larger backbone network. Connections are system interfaces to other information systems used for transmitting or receiving data. DARPA responded in the matrix that the DMSS interface connections were approved. The DARPA response was correct. DARPA stated it had a waiver, granted by ASD(C3I), to connect to the Internet.

                Information Assurance Vulnerability Alert. DARPA was requested to identify whether DMSS was fully information assurance vulnerability alert compliant in both acknowledging and adhering to information assurance vulnerability alerts. The information assurance vulnerability alert process incorporates identification and evaluation of new vulnerabilities, disseminates technical responses, and tracks compliance within DoD. Alerts are generated when a critical vulnerability that poses an immediate threat to DoD exists. DARPA responded in the matrix that DMSS was fully information assurance vulnerability alert compliant. We confirmed that the DARPA response was appropriate as of August 1, 2001; DMSS was information assurance vulnerability alert compliant.

               Vulnerability Analysis and Assistance Program. DARPA was requested to identify whether DMSS had a vulnerability analysis and assistance program assessment. According to a dictionary and reference guide used by the GISR Act Integrated Process Team, a vulnerability analysis and assistance program was a survey of the Non-Secure Internet Protocol Router Network, the SECRET Internet Protocol Router Network, and Joint Worldwide Intelligence Communications System networks for common computer security vulnerabilities. DARPA provided an "NA" response in the matrix. We confirmed that the DARPA response was appropriate as of August 1, 2001, and that no vulnerability analysis and assistance program assessment had been performed.

              Assessments. DARPA was requested to identify the dates of the most recent:
                 • Joint Staff integrated vulnerability assessment,
                 • system requirements reviews,
                 • balanced survivability assessment, and
                 • integrated vulnerability assessment.

           DARPA responded in the matrix that none of these assessments had been performed. We confirmed that the DARPA responses were correct as of August 1, 2001, because the reporting elements in the section were specific assessments and technical controls that not all systems were required to perform.

Site Operational Review

    We performed a site operational review at DARPA headquarters, Arlington, Virginia, to verify that information security operational controls were in place for DMSS. As of June 2002, DARPA had access and physical security controls in place. Access controls included password protection, intrusion detection software, and information assurance vulnerability alerts. Physical security controls included electronic card access to office suites, color-coded identification badges, and 24-hour security provided by the Arlington County Police Department. However, the key DARPA information assurance staff positions were not aligned in a way that ensures the segregation of duties and the checks and balances that DITSCAP requires for DMSS. Furthermore, DARPA did not formally appoint three of the four key information assurance staff positions required to ensure checks and balances during the certification process. Also, the DAA was not within the operational chain of command, as the DITSCAP requires. 
Further, DARPA did not provide support showing that it had verified that the contractors working on the system held proper security clearances. As a result, DMSS may not have adequate information security operational controls to ensure that sensitive information is safeguarded.

DITSCAP Guidance

    DITSCAP states that the key roles in the certification and accreditation process are those functions that the system program manager, the DAA, the certification authority, and the user representative perform. The DITSCAP also states that those four roles--program manager, DAA, certification authority, and user representative--each represent different views and as such provide the checks and balances that ensure the minimum security requirements are met. Further, DITSCAP requires that the four key information assurance staff positions be appointed during the first phase of the certification and accreditation process.

    DITSCAP also discusses the roles and responsibilities of each of the four key information assurance positions during all phases of the certification and accreditation process. The program manager represents the interests of the system acquisition or maintenance organization, with engineering, schedule, and funding responsibility. The DAA represents the interests of the organization's mission needs, controls the operating environment, and defines the system-level security requirements. In addition, the DAA should be a senior member of the operational chain of command where the system is operating. The certification authority provides the technical expertise to conduct the certification by testing the security controls. The interests of the users are vested in the user representative. The user representative is concerned with system availability, access, integrity, functionality, and performance.

Results of Review

    The key DARPA information assurance staff positions were not aligned in a way that would ensure the segregation of duties necessary for the checks and balances that ensure minimum security requirements for DMSS. A description of the duties for each of the key information assurance staff positions was included in "DARPA Management Support System (DMSS) Information System Security Plan," November 15, 2001 (System Security Plan). According to the list in the System Security Plan, both the DAA and certification authority positions were listed as duties the Director of the Security and Intelligence Directorate performed. Assigning both of those key positions to the same management official does not provide adequate checks and balances of key management oversight functions: the DAA's oversight function is to define the system-level security requirements, and the certifying authority's function is to test the security controls for compliance with those requirements. The program manager was listed as the DARPA hardware and software support contractor. The user representative was listed as the Director of the Information Resources Directorate.

    Additionally, DARPA did not formally appoint three of the four key information assurance staff positions. Of the four key information assurance positions--program manager, DAA, certification authority, and user representative--the DAA was the only official formally appointed as of June 2002. The one formally appointed key information assurance position, the DAA for DARPA automated information systems, was the Director of the Security and Intelligence Directorate rather than an official from the operational chain of command, such as an official from the DARPA Information Resources Directorate. DARPA officials stated that the certification authority, user representative, and program manager would not be formally appointed until DMSS was accredited. DARPA planned to have DMSS accredited by September 30, 2002. DARPA reported in the management comments to the draft report that DMSS was accredited on September 6, 2002, and that the accreditation included documentation of the certification authority, project manager, and user representative positions.

    On-site contractor personnel provided DMSS information security functions as well as software and hardware support. The System Security Plan requires that all personnel having access to DMSS have a SECRET security clearance or higher. DARPA did not provide us with any supporting documentation showing that it had verified contractor personnel security clearances prior to granting access to DMSS.

Management Comments on the Finding and Audit Response

    DARPA Comments on Physical Security Controls. DARPA stated the report implied the only physical security control in place as of August 1, 2001, was the electronic card access system.

    Audit Response. We revised the discussion to reflect that additional physical security controls were in place.

    DARPA Comments on Red and Blue Team Assessment. DARPA stated that the draft report was incorrect in stating that DARPA had a blue team assessment in February 2000; the blue team assessment was documented in 2002. 
The document cited in the draft report was not a blue team assessment but an independent vulnerability assessment.

    Audit Response. We revised the discussion to state that the positive matrix response (February 2000 date) submitted by DARPA for the blue team assessment was incorrect.

    DARPA Comments on Connection Approval. DARPA stated that the discussion section on Connections was incorrect. DARPA stated that DMSS is connected to a larger backbone network (the Internet). That connection is based on a waiver granted by ASD(C3I).

    Audit Response. We revised the discussion to state that the DARPA matrix answer was correct.

    A summary of DARPA comments on the finding and our audit response is in Appendix C. The complete text of DARPA comments is in the Management Comments section of this report.

Recommendations, Management Comments, and Audit Response

    1. We recommend that the Director, Defense Advanced Research Projects Agency formally appoint a program manager, certification authority, and user representative for the Defense Advanced Research Projects Agency Management Support System and require appointments that are organizationally aligned in a way that will provide the checks and balances the DoD Information Technology Security Certification and Accreditation Process requires.

    DARPA Comments. DARPA nonconcurred, stating that the alignment of information assurance staff positions is correct and appropriate for DARPA. Also, DARPA stated that it follows DITSCAP requirements to achieve the checks and balances appropriate for DARPA. DITSCAP places the decisions involved in those assignments at the Component level. Further, DARPA stated that the three key positions were documented at the formal accreditation signing in September 2002.

    Audit Response. DARPA comments were nonresponsive. DITSCAP requires that the key roles (DAA, program manager, certification authority, and user representative) be appointed during the first phase of the certification and accreditation process. Additionally, DITSCAP states that "the DAA, the CA [certification authority], the program manager, and the user representative each represent different views and as such provide the checks and balances to ensure the minimum-security requirements are met." As of the end of the audit period, August 2002, DARPA had not formally appointed three of the four key information assurance staff positions. Only the DAA had been appointed, and DARPA officials stated that the certification authority, user representative, and program manager would not be formally appointed until DMSS was certified. DARPA comments indicate that the appointments were documented at the formal accreditation. We request the supporting documentation. Further, according to the list in the DARPA System Security Plan (an operational document dated November 15, 2001, 3 months after DARPA submitted the GISR Act matrix data), both the DAA and certification authority positions were listed as duties the Director of the Security and Intelligence Directorate performed. Assigning both of those key positions to the same management official does not provide adequate checks and balances of key management oversight functions. We request that DARPA reconsider its position on the recommendation and provide additional comments and documents in response to the final report.

    2. We recommend that the Director, Defense Advanced Research Projects Agency verify that the certification authority and designated approving authority are separate and independent from each other.

    DARPA Comments. DARPA nonconcurred, stating that those positions are and have been separate and independent since the initiation of the DITSCAP work. Further, DARPA stated that the Chief Information Officer "supervises both positions to ensure independent work, advice, and visibility and resolution of any conflict."

    Audit Response. DARPA comments were nonresponsive. DARPA did not provide supporting documentation that verified the independence of the certification authority and the DAA, given that both the DAA and certification authority positions were listed as duties the Director of the Security and Intelligence Directorate performed. We request that DARPA provide documentation demonstrating that the certification authority and DAA are separate and independent from each other in its response to the final report.

    3. We recommend that the Director, Defense Advanced Research Projects Agency properly document the security clearance levels for all of the information systems contract support personnel that have access to the Defense Advanced Research Projects Agency Management Support System.

    DARPA Comments. DARPA nonconcurred, stating that the documentation has always existed but was not requested.

    Audit Response. DARPA comments were nonresponsive. We requested, but DARPA did not provide, documentation that it had verified the security clearances of contractor support personnel before granting access to DMSS; security clearances were not specifically addressed on the GISR Act matrix. We request that DARPA provide the supporting documentation demonstrating that contractor personnel security clearances are verified before they gain access to DMSS in its response to the final report.

Appendix A. Scope and Methodology

    We verified and validated the DMSS data supporting the DoD GISR Act Report. We also performed a DMSS site operational review at DARPA to validate operational controls. To accomplish the audit objective, we:

        • reviewed Public Law 106-398, Office of Management and Budget guidance, and the DoD regulations and guidance related to the GISR Act;

        • interviewed DMSS personnel in DARPA responsible for the GISR Act matrix submission;

        • verified the information reported on the GISR Act data collection matrix. Our verification consisted of reviewing the documentation that supported the answers DARPA provided on the GISR Act collection matrix as of August 1, 2001; and

        • reviewed site operations that documented the presence of operational controls at DARPA.

    We performed this audit from April through August 2002 in accordance with generally accepted government auditing standards. We did not review the management control program because DoD recognized information assurance programs as a material weakness in its FY 2000 Statement of Assurance, which was the most recent signed Statement of Assurance.

    Use of Computer-Processed Data. We did not use computer-processed data to perform this audit.

    General Accounting Office High-Risk Area. The General Accounting Office has identified several high-risk areas in DoD. This report provides coverage of the Information Security high-risk area.

Prior Coverage

    No prior coverage has been conducted on DMSS during the last 5 years.

Appendix B.
Government Information Security Reform Act Collection Matrix Submission

     We evaluated the DMSS GISR Act collection matrix that DARPA submitted as of August 1, 2001, to ASD(C3I). The following is a summary of the data ASD(C3I) requested, the response from DARPA, and our audit analysis of the response for 27 of 32 (1) fields on the data collection matrix. A list of acronyms is at the end of this appendix.

     (1) We did not include in the matrix five administrative information data fields that identified the system. One administrative information data field was answered incorrectly by DARPA. (DMSS was not a mission-critical system but a mission-essential system, as stated in the DoD Information Technology Registry.) Of the 27 DARPA responses in this matrix, 4 were incorrect and 8 could not be verified because DARPA did not provide sufficient documentation.

     (2) Some questions requested a date only. If a date was provided, the implied answer was yes.

Accreditation Information

Data Requested: Accredited? (Date)
DARPA Response (2): Pending
Audit Results: DMSS was not accredited. DARPA stated in comments to the draft report that DMSS was accredited on September 6, 2002.

Data Requested: Interim authority to operate? (Date)
DARPA Response (2): July 15, 2001
Audit Results: The matrix response should have been July 17, 2001, the date of the interim authority to operate. The DAA, Director of the Security and Intelligence Directorate, granted interim authority to operate the DMSS for 3 months. The interim authority was renewed three times after July 17, 2001. The most recent interim authority to operate the DMSS was granted February 22, 2002, and was valid until September 30, 2002. However, DARPA reported in the management comments to the draft report that DMSS was accredited on September 6, 2002.

Data Requested: Accreditation under DITSCAP?
DARPA Response (2): Yes
Audit Results: The DARPA response was incorrect. DARPA should have responded "no" because DMSS was not accredited as of August 1, 2001. DARPA was following DITSCAP to certify and accredit DMSS and stated in comments to the draft report that DMSS was accredited on September 6, 2002.

Data Requested: Not DITSCAP, describe other.
DARPA Response (2): Blank
Audit Results: DMSS was not accredited prior to the current effort to accredit under DITSCAP.

Data Requested: Formal documentation in effect? (SSAA or other certification and accreditation documentation)
DARPA Response (2): No
Audit Results: No formal SSAA had been developed for DMSS. Since August 2001, DARPA has developed an in-process SSAA.

Assessment Criteria Information

Data Requested: Access controls in place?
DARPA Response (2): Yes
Audit Results: DARPA did not provide documentation that supported the "yes" response for having access controls in place as of August 1, 2001. 
As a result, we could not verify the response. However, DARPA had developed in-process documents since August 2001 that confirmed the DMSS used passwords and user accounts.
   − User account names were the user's first-name initial and last name.
   − Valid passwords were at least nine alphanumeric characters, with both upper and lower case, and had at least one special character.
   − After five unsuccessful login attempts, the DMSS user account was locked out and service was denied for 60 minutes. If access was needed sooner, the DARPA Help Desk unlocked the account.
   − Passwords expired every 90 days.

Data Requested: Risk Assessment and Management Plan completed?
DARPA Response (2): Yes
Audit Results: DARPA had a risk assessment and management plan completed as of August 1, 2001. The plan listed procedures for determining minimum information system security requirements.

Data Requested: System Life-Cycle Plan exists?
DARPA Response (2): No
Audit Results: DARPA did not have a DMSS System Life-Cycle Plan as of August 1, 2001. However, DARPA has a system life-cycle requirement that calls for hardware and software to be replaced when or before either reaches a predetermined age.

Data Requested: System Security Plan in place?
DARPA Response (2): No
Audit Results: DARPA did not have a DMSS System Security Plan as of August 1, 2001. However, since that time, DARPA has developed a DMSS System Security Plan. The plan serves as a security policy document and describes the security services that protect the information system. Further, the plan identifies the security mechanisms in place on the DMSS and was expanded to include the security policies and procedures necessary to support the changing environment.

Data Requested: Proper personnel security measures in place? (includes assignment of duties and segregation of duties)
DARPA Response (2): Yes
Audit Results: DARPA did not provide documentation that supported the "yes" response for having personnel security controls in place as of August 1, 2001. As a result, we could not verify the response. However, DARPA developed in-process documents since August 2001 that confirmed the DMSS had personnel security controls in place. DMSS had segregation of duties, with varying levels of access and control.
   − The individual must hold at least a SECRET clearance and have been granted access based on a "need to know."
   − The individual must have received appropriate training in system capabilities and security procedures.
   − Foreign nationals who hold a SECRET clearance may be granted access to the DMSS only after written approval of the DAA and only to the unclassified network.
Passwords were changed every 90 days. Accounts were terminated when the user was no longer actively employed or for misuse.

Data Requested: Physical security controls in place?
DARPA Response (2): Yes
Audit Results: As of August 1, 2001, we verified that a 24-hour electronic card access system and other after-business-hours controls, such as closed-circuit television and unarmed guards, were providing the primary access controls for the DARPA office suites. Since August 2001, DARPA has implemented additional physical security controls, including armed guards, and an Arlington County police officer was stationed outside the DARPA main building 24 hours a day.

Data Requested: Administrative controls in place?
DARPA Response (2): Yes
Audit Results: DARPA did not provide documentation that supported the "yes" answer as of August 1, 2001.
As\n(includes help desk                              of August 1, 2001, we verified that DARPA had a\nand audit trail)                                 help desk, but we could not verify that DARPA had\n                                                 established audit trails. However, DARPA provided\n                                                 documentation indicating that audit trails have been\n                                                 established subsequent to August 1, 2001.\n\nContingency Plans            Yes                 The DARPA response was incorrect. DARPA\nin place?                                        should have responded \xe2\x80\x9cno\xe2\x80\x9d because the \xe2\x80\x9cyes\xe2\x80\x9d\n                                                 response was based on a contingency plan for 2000.\n                                                 That plan addressed only 2000 activities and did not\n                                                 address contingency operations in a broader context.\n\n                                                 Since August 2001, DARPA developed an in-process\n                                                 Business Resumption Plan that provided the\n                                                 procedures necessary to recover critical DARPA\n                                                 business functions in the event of a disaster.\n\nDate contingency             December 30,        The DARPA response was incorrect. The DARPA\nplans last exercised?        
1999                2000 Contingency Plan was exercised in the\n                                                 December 1999 time frame but was performed for\n                                                 2000 concerns and not applicable to current\n                                                 conditions.\n\nHardware and         Yes                         DARPA did not provide documentation that\nsystem software                                  supported the \xe2\x80\x9cyes\xe2\x80\x9d response as of August 1, 2001.\nmaintenance plans in                             As a result, we could not verify the response.\nplace? (includes\nversion control                                  Since August 2001, DARPA developed a\ntesting)                                         configuration management plan, used to manage\n                                                 configuration of DMSS hardware and software. In\n                                                 addition, DARPA chartered the DARPA\n                                                 Configuration Control Board to control the DMSS\n                                                 configuration. The board was to establish procedures\n                                                 for controlling changes in configuration items.\n\n\n\n\n    2\n        Some questions requested a date only. If a date was provided, the implied answer was yes.\n\n\n\n\n                                                      22\n\x0c                           Assessment Criteria Information (cont\xe2\x80\x99d)\n\n                                DARPA\n  Data Requested               Response2                                Audit Results\n\nData integrity               Yes                 DARPA did not provide documentation that\nprocess in place?                                
supported the \xe2\x80\x9cyes\xe2\x80\x9d response as of August 1, 2001.\n(includes virus                                  As a result, we could not verify the response.\nscans, system\nperformance                                      DARPA subsequently developed in-process\nmonitoring)                                      documents that confirmed the DMSS has a data\n                                                 integrity process in place.\n\n                                                 Virus scans and communication encryption software\n                                                 protected DMSS.\n\nSecurity incident            Yes                 DARPA did not provide documentation that\nresponse plan in                                 supported the \xe2\x80\x9cyes\xe2\x80\x9d response as of August 1, 2001.\nplace?                                           As a result, we could not verify the response.\n\n                                                 DARPA did not provide documentation that\n                                                 indicated\n                                                 the current status.\n\n\n\n\n    2\n        Some questions requested a date only. If a date was provided, the implied answer was yes.\n\n\n\n                                                      23\n\x0c                        Operations and Assessments Interest Items\n\n                                DARPA\n  Data Requested               Response2                               Audit Results\n\nProtected by IDS             Yes                 DARPA did not provide documentation that\n[Intrusion Detection                             supported the \xe2\x80\x9cyes\xe2\x80\x9d response as of August 1, 2001.\nSoftware]?                                       
As a result, we could not verify the response.\n\n                                                 However, DARPA developed in-process\n                                                 documents since August 2001 that confirmed IDS\n                                                 protected DMSS.\n\nBoundary protection          Yes                 DARPA did not provide documentation that\nin place? (For                                   supported the \xe2\x80\x9cyes\xe2\x80\x9d response as of August 1, 2001.\nexample, firewall)                               As a result, we could not verify the response.\n\n                                                 DARPA developed in-process documents since\n                                                 August 2001 that confirmed boundary protection\n                                                 (firewalls) protect DMSS.\n\n                                                 Unsuccessful login attempts were tracked.\n\nRed and blue team            February 8,         The DARPA response was incorrect. DARPA\nassessment? (Date)           2000                should not have answered with a date because,\n                                                 according to the DARPA comments on the draft\n                                                 report, an independent vulnerability assessment\n                                                 was performed on February 8, 2000, not a blue\n                                                 team assessment. The blue team assessment was\n                                                 performed in 2002.\n\nConnection                   Yes                 The DARPA response was correct. DARPA stated\napproved?                                        
that they had a waiver from ASD(C3I) to connect to\n                                                 the Internet.\n\n\nIAVA [Information            Yes                 We confirmed that the DARPA response was\nAssurance                                        appropriate as of August 1, 2001, because DMSS\nVulnerability Alert]                             was information assurance vulnerability alert\ncompliant?                                       compliant.\n\n\n\n\n    2\n        Some questions requested a date only. If a date was provided, the implied answer was yes.\n\n\n\n                                                      24\n\x0c                  Operations and Assessments Interest Items (cont\xe2\x80\x99d)\n\n                                DARPA\n  Data Requested               Response2                               Audit Results\n\nVAAP                         NA                  VAAP was not required and not applicable to\n[Vulnerability                                   DMSS.\nAnalysis and\nAssistance Program]\nassessment\ncomplete? (Date)\n\nJoint Staff integrated No                        No Joint Staff integrated vulnerability assessments\nvulnerability                                    were completed for DMSS.\nassessments\ncomplete? (Date)\n\nSystem requirements No                           No system requirements reviews were completed\nreviews complete?                                for DMSS.\n(Date)\n\nBalance                      No                  No balance survivability assessment was completed\nsurvivability                                    for DMSS.\nassessment\ncomplete? (Date)\n\nIntegrated                   No                  No integrated vulnerability assessment was\nvulnerability                                    completed for DMSS.\nassessment\ncomplete? (Date)\n\n\n\n\n    2\n        Some questions requested a date only. 
If a date was provided, the implied answer was yes.\n\n\n\n\n                                                      25\n\x0cApplicable Acronyms\n\nASD(C3I)          Assistant Secretary of Defense (Command, Control,\n                     Communications, and Intelligence)\nDAA               Designated Approving Authority\nDARPA             Defense Advanced Research Projects Agency\nDITSCAP           Defense Information Technology Security Certification and\n                     Accreditation Process\nDMSS              Defense Advanced Research Projects Agency Management\n                     Support System\nGISR              Government Information Security Reform\nIAVA              Information Assurance Vulnerability Alert\nIDS               Intrusion Detection Software\nSSAA              System Security Authorization Agreement\nVAAP              Vulnerability Analysis and Assistance Program\n\n\n\n\n                              26\n\x0cAppendix C. Summary of DARPA Comments on\n            the Finding and Audit Response\n    The following is a summary of DARPA comments on the finding and our audit\n    response to those comments.\n\n\nMission and System Information\n    DARPA Comments on Contract Support. DARPA nonconcurred with the report\n    statement, \xe2\x80\x9cIn September 2001, DARPA contracted for DMSS hardware, software,\n    and systems support.\xe2\x80\x9d DARPA stated, \xe2\x80\x9cThe DMSS is a legacy system and has\n    existed since the early 1980s. It and other Information Technology (IT) assets were\n    transferred to the extant contractor under a modified managed services contract\n    awarded in April 2001.\xe2\x80\x9d\n\n    Audit Response. The modified managed services contract was awarded in\n    April 2001 by the Department of Transportation. 
However, the delivery order on the Department of Transportation contract for DARPA managed services requirements was not issued until September 2001.

Data Collection Matrix

DARPA Comments on Accreditation Method. DARPA nonconcurred with our conclusion that its matrix response on DMSS accreditation under DITSCAP was incorrect. DARPA stated:
    The matrix question is "Accreditation under DITSCAP?" This question asks if DITSCAP is the framework under which accreditation is developed, not whether accreditation has been completed (which is asked separately above it). DARPA is correct to respond "Yes" in that DARPA was using DITSCAP as the basis for all accreditation and certification work.

Audit Response. The co-chairman of the GISR Act Integrated Process Team stated that it was the direction and intent of the Office of the Secretary of Defense that activities should respond "no" to items where there was no formal/approved documentation. DARPA did not have formal/approved documentation on DITSCAP accreditation for DMSS as of August 1, 2001, the matrix submission date. Therefore, its matrix response should have been "no" because DMSS was not accredited under DITSCAP as of August 1, 2001.

DARPA Comments on Certification and Accreditation Documentation. DARPA nonconcurred with the term "in-process," which was used throughout the report. DARPA stated:
    The DoDIG term "in-process" is misleading and does not convey the true state of the accreditation documents given to the DoDIG.
    Those documents were complete and reviewed by senior management at the time they were written. Because the DMSS is a dynamic system, with frequent (often weekly) changes, the supporting documents are under constant revision. They could not, by definition, be "approved" until formal accreditation.

Audit Response. We believe "in-process" is an appropriate term to describe documents "under constant revision," as stated by DARPA.

DARPA Comments on Access Controls. DARPA nonconcurred with our report statement, "DARPA did not provide documentation that supported the 'yes' response for having access controls in place as of August 1, 2001." DARPA stated:
    The DoDIG requested specific documentation in writing. DARPA provided that documentation and did not receive any response stating such documentation was insufficient for their needs. The documentation provided to the DoDIG was DITSCAP documentation dated after August 1, 2001, which details the physical, technical, and administrative controls in place to protect the DMSS.

Audit Response. We requested access control documentation as of August 1, 2001, in order to verify the DMSS data provided in the matrix. The access control document DARPA provided us was dated December 10, 2001, which is after the cut-off date.

DARPA Comments on System Life-Cycle Plan. DARPA nonconcurred with the draft report statement, "We confirmed that when DARPA submitted the matrix data as of August 1, 2001, they had not developed a DMSS System Life-Cycle Plan.
However, since that time, DARPA has a system life-cycle requirement that called for hardware and software to be replaced when or before either reaches 24 months of age." DARPA stated:
    DARPA has always had a life-cycle requirement for refreshment of DMSS components. As of April 2001, the effective date of the latest contract for DMSS support, this requirement was 24 months. Prior to that, it was 36 months.

Audit Response. We modified the report, which now reads: "However, DARPA has a system life-cycle requirement that called for hardware and software to be replaced when or before either reaches a predetermined age."

DARPA Comments on Personnel Security Measures. DARPA nonconcurred with the report statement that it did not provide documentation that supported the "yes" response for having personnel security measures in place as of August 1, 2001. DARPA stated:
    This is an incorrect statement. The DoDIG requested specific documentation in writing. . . . The documentation provided to the DoDIG was DITSCAP documentation dated after August 1, 2001, which details the controls related to personnel security that were in place to protect the DMSS.

Audit Response. We requested documentation that supported the "yes" response regarding the presence of personnel security measures as of the date that DARPA submitted the DMSS matrix data, August 1, 2001. The personnel security documents DARPA provided were dated November 2001.

DARPA Comments on Physical Security Controls. DARPA stated that the section on Physical Security Controls was misleading, adding:
    The wording implies that on August 1, 2001, DARPA had only its electronic card access system in place as a physical security control.
    It implies that the other controls were added after August 1, 2001. All security measures mentioned here, with the exceptions of armed (vs. unarmed) guards and an on-station Arlington County police officer, have been in place at DARPA for many years.

Audit Response. We revised the Physical Security Controls section to reflect DARPA concerns.

DARPA Comments on Administrative Controls. DARPA stated that the report section on Administrative Controls contained incorrect statements, specifically noting:
    The DoDIG requested specific documentation in writing. . . . The documentation provided to the DoDIG was DITSCAP documentation dated after August 1, 2001, which indicates that administrative controls were in place. Similar controls have been in place since the initial implementation of the DMSS in the early 1980s.

Audit Response. We requested administrative control documentation as of August 2001 to verify the DMSS data provided in the matrix. As stated in the DARPA response, the administrative control documentation DARPA provided us was dated after August 1, 2001.

DARPA Comments on Contingency Plans. DARPA provided four separate comments on the contingency plan portion of the report.

  • DARPA stated that the report statement indicating that DARPA should have responded "no" because the "yes" response was based on the 2000 Contingency Plan was incorrect. DARPA stated:
        There is no basis in fact for saying that a Y2K [year 2000] contingency plan is not appropriate for future use. . . .
        That documentation, with its detailed procedures for responding to a wide range of disruptions, including total system replacement, was a highly useful contingency plan on August 1, 2001.

  • DARPA stated that the report was incorrect in stating that the contingency plan discussed two DARPA mission-essential systems: the main DARPA building and the financial information system. DARPA stated:
        There is only one DARPA system, which is the mission-essential DMSS, so named in the DoD Y2K Data Base, which preceded the DoD IT Registry. The voluminous plan discusses nothing but the DMSS, DARPA's single local area network, including all attachments and peripherals.

  • DARPA stated that the report was incorrect with respect to the statement that DARPA should not have provided a date because the exercise was based on a year 2000 contingency plan. DARPA stated:
        [T]here is no basis for categorically stating the plan should not have been used for an exercise just because it was developed for Y2K concerns. In fact, it is as good and appropriate a plan as could have been used at the time, with no additional costs incurred.

  • DARPA also nonconcurred with the statement in the report, "Furthermore, the 2000 Contingency Plan exercise focused only on interruptions for 2000."
        This is an incorrect statement. . . . [T]he 2000 Contingency Plan provides detailed procedures covering the widest possible range and degree of disruptions, whether those disruptions might be caused by utility failures, fire, flood, malicious intent, or other problems.
        The DoDIG based its report on less than 1 percent of the Y2K documentation.

Audit Response. DARPA provided a document titled "DARPA Y2K Contingency Planning" to the audit team in response to our request for a contingency plan as of August 1, 2001. The document stated that "DARPA has two 'mission-essential' systems, the main DARPA building and the financial information system." The document did not mention DMSS or a similar legacy system that predated DMSS. DARPA did not indicate that this was a partial or incomplete document. If other documents existed, they were not provided. DARPA responded in the matrix that DMSS was last exercised December 30, 1999. We verified that the contingency plan was exercised in the December 1999 time frame. However, DARPA should not have answered with a date because the exercise was based on a year 2000 contingency plan. Furthermore, the 2000 Contingency Plan exercise focused only on interruptions for 2000.

DARPA Comments on Hardware and Software Maintenance Plans. DARPA stated that the report section on Hardware and System Software Maintenance Plans was incorrect in stating that the "yes" answer was incorrect. DARPA stated it had hardware and software maintenance plans in place prior to August 1, 2001.

Audit Response. We requested hardware and software maintenance plan documentation as of August 2001 to verify the DMSS data provided in the matrix. The hardware and software maintenance plan documentation DARPA provided was dated after August 1, 2001.

DARPA Comments on Data Integrity Process.
DARPA stated that the report section on Data Integrity Process was incorrect, adding:
    The documentation provided to the DoDIG was DITSCAP documentation dated after August 1, 2001, which details an in-place data integrity process that protects DMSS data . . . . Similar procedures have been in place since the initial implementation of the DMSS in the early 1980s.

Audit Response. We requested data integrity process documentation as of August 2001 to verify the DMSS data provided in the matrix. The data integrity process documentation DARPA provided was dated after August 1, 2001.

DARPA Comments on Security Incident Response Plan. DARPA stated that the statement about documentation in the Security Incident Response Plan section was incorrect, adding:
    The DoDIG requested specific documentation in writing. . . . The documentation provided to the DoDIG details our security incident response plan that is in place to protect the DMSS from adverse events that could cause a failure of security mechanisms or when an attempted breach of these mechanisms occurs.

Audit Response. We requested security incident response plan documentation as of August 2001 to verify the DMSS data provided in the matrix. We did not receive any Security Incident Response Plan documentation. Therefore, we could not verify the matrix response.

DARPA Comments on Intrusion Detection Software and Firewalls. DARPA stated that the report sections on Intrusion Detection Software and Firewalls contained incorrect statements, adding:
    The DoDIG requested specific documentation in writing. Documentation was provided to the DoDIG that details boundary protections, specifically in the form of firewalls, intrusion detection systems, and network topology in place to support protection of the DMSS from external threats.
    These systems have been in place since DARPA funded research and development of these technologies in the early 1990s.

Audit Response. We requested intrusion detection software and firewall documentation as of August 2001 to verify the DMSS data provided in the matrix. The intrusion detection software and firewall documentation DARPA provided us was dated after August 1, 2001.

DARPA Comments on Red and Blue Team Assessment. DARPA stated that the report section on Red and Blue Team Assessment was incorrect. DARPA stated, "The blue team assessment was performed and documented in 2002. The independent vulnerability assessment was performed February 8, 2000, as stated in the report."

Audit Response. DARPA responded in the matrix that DMSS had a blue team assessment performed on February 8, 2000. DARPA provided a document described as documentation of the February 8, 2000, blue team assessment. In its comments, DARPA states that an independent vulnerability assessment, not a blue team assessment, was performed on that date. In keeping with the clarification, we have revised the report to state that the DARPA matrix answer showing that a blue team assessment was done in February 2000 was incorrect.

DARPA Comments on Connections. DARPA stated the report section on Connections was incorrect. DARPA stated that DMSS is connected to a larger backbone network (the Internet), for which ASD(C3I) granted a waiver.

Audit Response. We have revised the report to state that the DARPA matrix answer was correct. We request that DARPA provide documentation of the ASD(C3I) waiver in response to the final report.

Site Operational Review

DARPA Comments on Segregation of Duties.
DARPA disagreed with the report's statement that key information assurance staff positions were not aligned in a way that ensures segregation of duties and the required checks and balances. DARPA stated:
    DITSCAP leaves the determination of proper checks and balances to the discretion of the Component. Further, DARPA has ensured segregation of duties with checks and balances through a CIO [Chief Information Officer] policy memorandum and separation of responsibilities guidance provided to the DoDIG.

Audit Response. Section E3.3.3.6. of the DITSCAP states, "The DAA, the CA [certification authority], the program manager, and the user representative each represent different views and as such provide the checks and balances to ensure the minimum-security requirements are met." The documentation provided by DARPA indicated that the DAA and the certification authority were the same person.

DARPA Comments on Key Information Assurance Staff Positions. DARPA stated that the report is incorrect in stating that DARPA did not formally appoint three of the four key information assurance staff positions required to ensure checks and balances during the certification process. DARPA stated:
    The DoDIG is incorrect in stating that these positions are required during the certification process. DITSCAP requires only that individuals be identified, which DARPA did early in the process. Further, while checks and balances are required, they are not necessarily embodied in these positions, as the choice and implementation of checks and balances is under Component discretion. DITSCAP "allows these four managers to tailor . . . efforts to the particular mission . . .
    of the system." The three key positions were also documented at the time of the formal accreditation signing (which for DARPA was September 6, 2002); formal appointment is not required by DITSCAP.

Audit Response. Sections E3.3.3.4. and E4.1.1.1. of the DITSCAP state that the key roles in the DITSCAP certification and accreditation process are the system program manager, the DAA, the certification authority, and the user representative. Further, the DITSCAP requires that appointments to those key roles be made during the first phase of the certification and accreditation process. The DITSCAP allows tailoring of the certification and accreditation process to suit system requirements. For example, combining phases of the certification and accreditation process may be appropriate for modifying an existing information system. However, all phases of certification and accreditation, as shown in Table E4-1 of the DITSCAP, clearly define roles and responsibilities throughout the process for each of the four key roles.

DARPA Comments on Operational Chain of Command. DARPA stated that the report was incorrect in stating that the DAA was not within the operational chain of command as required by the DITSCAP.

Audit Response. Section E4.2.1.
of the DITSCAP states, \xe2\x80\x9cThe DAA should be a\nsenior member of the operational chain-of-command where the system is\noperating.\xe2\x80\x9d According to the DARPA Office of Management Operations\nInformation Assurance Policy, \xe2\x80\x9cThe IRD [Information Resources Directorate]\nprovides general computing resources for the DARPA enterprise networks,\nincluding its IA [Information Assurance] functions, consisting of the physical\ninfrastructure (equipment, cabling and software) and support services needed for\nacquisition, development, operations, maintenance and security.\xe2\x80\x9d The policy also\nstates, \xe2\x80\x9cThe Information Assurance office, under S&ID [Security and Intelligence\nDirectorate], provides IA policy, IA technical assistance, IA independent\nverification and validation, and oversight of DARPA IS [information system]\nresources.\xe2\x80\x9d The DARPA DAA was the Director of the Security and Intelligence\nDirectorate rather than an official from the DARPA Information Resources\nDirectorate, which handles operations.\n\nDARPA Comments on Contractor Clearances. DARPA stated that the report\nwas incorrect in stating that DARPA did not provide support that it had verified\nthat contractors working on the system had proper security clearances. DARPA\nstated:\n           The DARPA security control system contains all clearance data for all\n           users of the DMSS. Reports of these data can be generated at any time\n           and could have easily been made available by DARPA.\n\nAudit Response. Security clearance levels are not specifically addressed in the\nmatrix. As a result, DARPA did not provide any supporting documentation that it\nhad verified contractor personnel security clearances prior to gaining access to\nDMSS. 
A DARPA official agreed to obtain documentation on personnel but did\nnot provide that documentation.\n\n\n\n\n                                       33\n\x0c    DARPA Comments on Information Security Operational Controls. DARPA\n    took strong exception to the report statement that DARPA may not have adequate\n    information security operational controls, stating:\n               DARPA\xe2\x80\x99s controls go far beyond those required. The proof that those\n               controls safeguard DARPA\xe2\x80\x99s information is in independent\n               assessments of the strength of our protections, most recently in the\n               form of a blue team exercise in which no compromises of our system\n               were made.\n\n    Audit Response. We concluded that DARPA may not have adequate information\n    security operational controls in place because, as stated in the report:\n\n       \xe2\x80\xa2   the key DARPA information assurance staff positions were not aligned in\n           a way that ensures segregation of duties and the required checks and\n           balances in the DITSCAP for DMSS;\n\n       \xe2\x80\xa2   DARPA did not formally appoint three of the four key information\n           assurance staff positions required to ensure checks and balances during the\n           certification process;\n\n       \xe2\x80\xa2   the DAA was not within the operational chain of command, as the\n           DITSCAP requires; and\n\n       \xe2\x80\xa2   DARPA did not provide support that it had verified that the contractors\n           working on the system had proper security clearances.\n\n\nDITSCAP Guidance\n    DARPA Comments on DITSCAP Guidance. 
DARPA nonconcurred with the\n    report statement that the DITSCAP requires the four key information assurance\n    staff positions to be appointed during the first phase of the certification process.\n    DARPA stated:\n               DoD 8510.1-M, DITSCAP Application Manual, in Section C3.4.3.2.1,\n               \xe2\x80\x9cDITSCAP Phase I Activities,\xe2\x80\x9d clearly states \xe2\x80\x9cIdentify the Agency or\n               organization that will serve as the DAA, Certifier, and user\n               representative. Identify individuals and their responsibilities in the\n               C&A [certification and accreditation] process.\xe2\x80\x9d         There is no\n               requirement for appointment. DARPA identified individuals for those\n               key positions, but did not appoint the program manager or user\n               representative until the formal accreditation.\n\n    Audit Response. Section E4.2.1.1. of the DITSCAP states that the key parties\n    throughout the DITSCAP are the system program manager, the DAA, the\n    certification authority, and the user representative. Further, the DITSCAP\n    requires that appointments to those key roles be made during the first phase of the\n    certification and accreditation process. All phases of certification and\n    accreditation, as shown in Table E.4-1 of the DITSCAP, clearly define roles and\n    responsibilities throughout the process for each of the four key roles.\n\n\n                                            34\n\x0cResults of Review\n     DARPA Comments on Alignment of Staff Positions. In response to the report\n     statement that information assurance staff positions were not aligned in a way that\n     would ensure segregation of duties necessary for the checks and balances to\n     ensure minimum security requirements for DMSS, DARPA stated:\n                This statement is incorrect and misleading. 
The report makes an\n                implicit assumption that there is only one correct way for Components\n                to ensure segregation of duties with proper checks and balances.\n                DITSCAP leaves the determination of proper checks and balances to\n                the discretion of the Component.\n\n     Audit Response. Section E3.3.3.6. of the DITSCAP states, \xe2\x80\x9cThe DAA, the CA\n     [certification authority], the program manager, and the user representative each\n     represent different views and as such provide the checks and balances to ensure\n     the minimum-security requirements are met.\xe2\x80\x9d The documentation provided by\n     DARPA indicated that the DAA and the certification authority were the same\n     person.\n\n     DARPA Comments on Formal Appointments. DARPA nonconcurred with the\n     report statement that three of the four key information security staff positions had\n     not been formally appointed. DARPA stated:\n                This statement is misleading. It implies that these positions are required\n                during the certification process. As stated above, DoD 8510.1-M,\n                DITSCAP Application Manual, in Section C3.4.3.2.1, \xe2\x80\x9cDITSCAP Phase\n                I Activities,\xe2\x80\x9d clearly states, \xe2\x80\x9cIdentify the Agency or organization that will\n                serve as the DAA, Certifier, and user representative. Identify individuals\n                and their responsibilities in the C&A [certification and accreditation]\n                process.\xe2\x80\x9d There is no requirement for appointment. DARPA identified\n                individuals for those key positions, but did not appoint the program\n                manager or user representative until the formal accreditation.\n\n     Audit Response. Section E4.1.1.1. 
of the DITSCAP states that the key roles in\n     the DITSCAP certification and accreditation process are the system program\n     manager, the DAA, certification authority, and user representative. The\n     DITSCAP also requires that appointments to those key roles must be made during\n     the first phase of the certification and accreditation process. All phases of\n     certification and accreditation, as shown in Table E4-1 of the DITSCAP, clearly\n     define roles and responsibilities throughout the process for each of the four key\n     roles.\n\n     DARPA Comments on the DAA. DARPA nonconcurred with the report\n     statement that the DAA for DARPA automated information systems was the\n     Director of the Security and Intelligence Directorate rather than an official from\n     the operational chain of command, such as an official from the DARPA\n     Information Resources Directorate. DARPA stated:\n                This statement is incorrect. The DAA is, in fact, within the operational\n                chain of command. DARPA maintains a matrixed command structure\n\n\n\n                                               35\n\x0c           for network operations. The DAA plays a critical function in that\n           operation. In fact, the network cannot operate without the expressed\n           consent of the DAA. The DAA has the operational power to shut\n           down the network at any time.\n\nAudit Response. Section E4.2.1. 
of the DITSCAP states, \xe2\x80\x9cThe DAA should be a\nsenior member of the operational chain-of-command where the system is\noperating.\xe2\x80\x9d According to the DARPA Office of Management Operations\nInformation Assurance Policy, \xe2\x80\x9cThe IRD [Information Resources Directorate]\nprovides general computing resources for the DARPA enterprise networks,\nincluding its IA [information assurance] functions, consisting of the physical\ninfrastructure (equipment, cabling and software) and support services needed for\nacquisition, development, operations, maintenance and security.\xe2\x80\x9d The policy also\nstates, \xe2\x80\x9cThe Information Assurance office, under S&ID [Security and Intelligence\nDirectorate], provides IA [information assurance] policy, IA technical assistance,\nIA independent verification and validation, and oversight of DARPA IS\n[information systems] resources.\xe2\x80\x9d The DARPA DAA was the Director of the\nSecurity and Intelligence Directorate rather than an official from the DARPA\nInformation Resources Directorate, which handles operations. DARPA did not\nprovide documentation on the matrixed command structure.\n\nDARPA Comments on Contractor Clearances. DARPA stated that the report\nwas misleading in making the statement that DARPA did not provide supporting\ndocumentation that it had verified contractor personnel security clearances before\ngranting contractors access to DMSS. DARPA stated:\n           In fact, the DoDIG never asked for such data. The DARPA security\n           control system contains all clearance data for all users of the DMSS.\n           Reports of these data can be generated at any time and could have\n           easily been made available.\n\nAudit Response. Security clearance levels are not specifically addressed in the\nmatrix. As a result, DARPA did not provide any supporting documentation that it\nhad verified contractor personnel security clearances before granting contractors\naccess to DMSS. 
Although a DARPA official agreed to provide the support on the clearance levels
of contractor personnel, that official did not provide the documentation.

Appendix D. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)/Chief Financial Officer
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Director, Defense-Wide Information Assurance Program

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Other Defense Organizations
Director, Defense Advanced Research Projects Agency
Director, Defense Finance and Accounting Service
Director, Defense Information Systems Agency
  Inspector General, Defense Information Systems Agency
Director, Defense Logistics Agency

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and
  Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International
  Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on
  Government Reform

Defense Advanced Research Projects Agency Comments

Team Members
The Readiness and Logistics Support Directorate, Office of the Assistant
Inspector General for Auditing of the Department of Defense prepared this report.
Personnel of the Office of the Inspector General of the Department of Defense
who contributed to the report are listed below.

Shelton R. Young
Tilghman A. Schraden
Kathryn L. Palmer
Jason T. Steinhart
Susan R. Ryan
Sharon L. Carvalho
Elizabeth L.N. Shifflett